Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/08/24 04:02:28 UTC

DO NOT REPLY [Bug 30814] New: - Management of the principal in the function org.apache.catalina.security.SecurityUtil.execute()

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30814>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30814

Management of the principal in the function org.apache.catalina.security.SecurityUtil.execute()

           Summary: Management of the principal in the function
                    org.apache.catalina.security.SecurityUtil.execute()
           Product: Tomcat 5
           Version: 5.0.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jjureta@videotron.ca


Hi,

I found that the function org.apache.catalina.security.SecurityUtil.execute does not cover all the cases (oh yes, the last modifications are mine):
- if the parameter principal is null and the session is not, the new subject is created without any principal (this happens when filters are used). When this function is called the next time with a principal which is not null, that principal is not added to the subject, and the function is executed without that principal;
- if the subject in the session contains principals different from the one passed as the parameter to the function, the new principal is not added to the subject in the session.

I have one question: why is the principal passed to this function and not the subject?

I propose to change the function execute() to:
 
// Inside org.apache.catalina.security.SecurityUtil; the method uses the
// class's own `log` (Log) and `sm` (StringManager) fields and needs these imports:
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.Globals;

    private static void execute(final Method method,
                                final Object targetObject,
                                final Object[] targetArguments,
                                Principal principal)
        throws java.lang.Exception {

        try {
            Subject subject = null;
            PrivilegedExceptionAction pea = new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    method.invoke(targetObject, targetArguments);
                    return null;
                }
            };

            // The first argument is always the request object
            if (targetArguments != null
                    && targetArguments.length > 0
                    && targetArguments[0] instanceof HttpServletRequest) {
                HttpServletRequest request =
                    (HttpServletRequest) targetArguments[0];

                // Reuse the Subject already stored in the session, if there is one
                HttpSession session = request.getSession(false);
                if (session != null) {
                    subject =
                        (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
                }

                if (principal != null) {
                    if (subject == null) {
                        // Create the new Subject
                        subject = new Subject();
                        subject.getPrincipals().add(principal);
                    } else {
                        // Add the new Principal to the Subject if needed
                        if (!subject.getPrincipals().contains(principal)) {
                            subject.getPrincipals().add(principal);
                        }
                    }

                    if (session != null) {
                        // Store the (possibly new) Subject in the session
                        session.setAttribute(Globals.SUBJECT_ATTR, subject);
                    }
                }
            }

            // With no principal and nothing in the session, subject stays null
            // and the action runs without a Subject
            Subject.doAsPrivileged(subject, pea, null);
        } catch (PrivilegedActionException pe) {
            // method.invoke() wraps the servlet's exception in an
            // InvocationTargetException; unwrap it and rethrow as the Servlet
            // API allows
            Throwable e = ((InvocationTargetException) pe.getException())
                                .getTargetException();

            if (log.isDebugEnabled()) {
                log.debug(sm.getString("SecurityUtil.doAsPrivilege"), e);
            }

            if (e instanceof UnavailableException)
                throw (UnavailableException) e;
            else if (e instanceof ServletException)
                throw (ServletException) e;
            else if (e instanceof IOException)
                throw (IOException) e;
            else if (e instanceof RuntimeException)
                throw (RuntimeException) e;
            else
                throw new ServletException(e.getMessage(), e);
        }
    }
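The following stand-alone program is an added example, not part of the bug report or of Tomcat's code. It lifts the Subject-merging rules of the proposed execute() into a plain function and walks through the two cases the report describes (a filter calling with a null principal before the servlet supplies one, and a session whose Subject already holds a different principal). A HashMap stands in for the HttpSession attributes, SUBJECT_ATTR is a placeholder for Globals.SUBJECT_ATTR, and NamedPrincipal is a constructed Principal implementation; none of these names come from the original.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;

public class SubjectMergeDemo {

    // Placeholder for Globals.SUBJECT_ATTR (the real attribute name lives in Tomcat).
    static final String SUBJECT_ATTR = "demo.subject";

    // Constructed Principal whose equality is by name, so Set.contains() can
    // recognise an already-present principal. The merge below depends on this.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /**
     * Same decision logic as the proposed execute(): session is a Map standing in
     * for HttpSession attributes (null means "no session"). Returns the Subject
     * that would be passed to Subject.doAsPrivileged (null when nothing applies).
     */
    static Subject resolveSubject(Map<String, Object> session, Principal principal) {
        Subject subject = null;
        if (session != null) {
            subject = (Subject) session.get(SUBJECT_ATTR);
        }
        if (principal != null) {
            if (subject == null) {
                // No Subject yet: create one carrying this principal
                subject = new Subject();
                subject.getPrincipals().add(principal);
            } else if (!subject.getPrincipals().contains(principal)) {
                // Existing Subject with other principals: add this one
                subject.getPrincipals().add(principal);
            }
            if (session != null) {
                session.put(SUBJECT_ATTR, subject);
            }
        }
        return subject;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();

        // Case 1: a filter runs first with no principal; no Subject is created,
        // so nothing empty is stored that a later call could fail to extend.
        Subject first = resolveSubject(session, null);
        System.out.println("after null principal: " + first + " / stored: " + session.get(SUBJECT_ATTR));

        // The servlet is then invoked with a real principal: it is added and stored.
        Subject second = resolveSubject(session, new NamedPrincipal("alice"));
        System.out.println("after alice: " + second.getPrincipals());
        System.out.println("stored in session: " + (session.get(SUBJECT_ATTR) == second));

        // Case 2: the session Subject holds a different principal; the new one is merged in.
        Subject third = resolveSubject(session, new NamedPrincipal("bob"));
        System.out.println("after bob: " + third.getPrincipals());

        // Calling again with the same principal does not add a duplicate.
        Subject fourth = resolveSubject(session, new NamedPrincipal("bob"));
        System.out.println("bob again, principal count: " + fourth.getPrincipals().size());
    }
}
```

One point worth checking in any real deployment of this logic: the "add only if needed" branch relies on the Principal class overriding equals() and hashCode(). With a Principal that uses identity equality, every request would append a fresh copy to the session's Subject, and the Subject would accumulate principals for the life of the session.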

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org